old school hacking : exploiting unix wildcards

Emir Fares BELMAHDI
[email protected] @emirfares www.emirfares.com

Upload: emir-fares-belmahdi

Post on 16-Jul-2015


FOUR PARTS

• About Wildcards

• Exploiting Wildcards

• Some useful tricks

• Conclusion

ABOUT WILDCARDS

• A character used to substitute for any other character or characters

• Used in regular expressions

• Commonly used in shell commands in Linux and other Unix-like operating systems

• In this case, wildcards are interpreted by the shell before any action is taken

*    matches any number of characters in a filename, including none

?    matches any single character

[ ]  brackets enclose a set of characters, any one of which may match a single character

-    a hyphen used within [ ] denotes a range of characters

~    a tilde at the beginning of a word expands to the name of your home directory. If you append another user's login name to the character, it refers to that user's home directory.

cat e*

cat te?t.php

cat file[123456789].txt

cat file[1-9].txt

ls ~

ls ~blackfox

EXPLOITING WILDCARDS

File names beginning with a hyphen (-) are interpreted as command-line arguments

Folder containing some files:

File1
File2
--help

User executes the command:

cat *

cat File1.txt → File content: OK!

cat File2.php → File content: OK!

cat --help → "cat" command help & usage: MAGIC!

USING STRACE

blackfox@dojo:~/wildcards$ strace cat *

execve("/bin/cat", ["cat", "File1.txt", "File2.txt", "--help"],[/* 69 vars */]) = 0

The three file names in the folder (1st file, 2nd file, 3rd file) are passed as plain arguments, so the command that actually runs is:

/bin/cat File1.txt File2.txt --help
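The argument list that strace shows can be reproduced and compared with two safe spellings of the same command. This is an added example, not part of the original slides; the helper names and the file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the slides. Directory contents are constructed;
# all helper names are hypothetical.

# Build the folder from the slides: two ordinary files plus one named --help.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    printf 'one\n'   > "$d/File1.txt"
    printf 'two\n'   > "$d/File2.txt"
    printf 'three\n' > "$d/--help"
    printf '%s\n' "$d"
}

# Count how many of the given arguments an option parser would treat as
# options, i.e. those that start with '-'.
count_option_like() {
    n=0
    for a in "$@"; do
        case $a in -*) n=$((n + 1)) ;; esac
    done
    printf '%s\n' "$n"
}

# The shell expands the pattern first; the command only sees the result.
bare_glob()     { ( cd "$1" && count_option_like * ); }
prefixed_glob() { ( cd "$1" && count_option_like ./* ); }

# Two ways to make cat read the file called --help instead of parsing it:
cat_with_dashdash() { ( cd "$1" && cat -- * ); }  # "--" ends option parsing
cat_with_prefix()   { ( cd "$1" && cat ./* ); }   # "./--help" is a path, not an option

# Run with the argument "demo" to print the comparison.
if [ "${1-}" = demo ]; then
    dir=$(make_demo_dir)
    echo "bare *  -> $(bare_glob "$dir") option-like argument(s)"
    echo "./*     -> $(prefixed_glob "$dir") option-like argument(s)"
    rm -rf "$dir"
fi
```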

DEMO

USEFUL TRICKS

CHOWN

blackfox@dojo:~/wildcards$ echo > ".some_hidden_file"

blackfox@dojo:~/wildcards$ chown user:user .some_hidden_file

blackfox@dojo:~/wildcards$ echo > "--reference=.some_hidden_file"

With this file in place, a later chown run on * in this directory receives --reference=.some_hidden_file as an option and takes the owner and group from .some_hidden_file.

CHMOD

blackfox@dojo:~/wildcards$ echo > ".some_hidden_file"

blackfox@dojo:~/wildcards$ chmod 777 .some_hidden_file

blackfox@dojo:~/wildcards$ echo > "--reference=.some_hidden_file"

The same applies to chmod: the --reference option makes it copy the mode of .some_hidden_file instead of the mode given on the command line.

REAL LIFE SCENARIO: GETTING ROOT ACCESS

From the tar help (see: tar --help):

--checkpoint[=NUMBER] : display progress messages every NUMBERth record (default 10)

--checkpoint-action=ACTION : execute ACTION on each checkpoint

Result: executing arbitrary commands with the privileges of the user that runs "tar"

Let's imagine a backup script

DEMO

CONCLUSION

NEVER TRUST INPUTS

Filter file names

AVOID USING WILDCARDS AS A PRIVILEGED USER (ROOT)

Create a simple user instead

OR

DON'T USE WILDCARDS AT ALL!

Create your own scripts with the same features
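A backup routine that applies the two recommendations above (filter file names, do not use wildcards), as an added example that is not from the original slides. The function names option_like_names and safe_backup are hypothetical, and a find that supports -mindepth/-maxdepth (GNU, BSD, BusyBox) is assumed.

```shell
#!/bin/sh
# Added example, not from the slides. Function names are hypothetical.

# List entries directly under directory $1 whose names begin with '-'.
# Pass an absolute path so that $1 itself cannot be read as an option.
option_like_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' -print
}

# Archive the contents of $1 into $2 without letting a file name reach
# tar as an option.
safe_backup() {
    src=$1
    out=$2
    bad=$(option_like_names "$src")
    if [ -n "$bad" ]; then
        # Filter step: stop and report instead of archiving.
        printf 'refusing: option-like names in %s:\n%s\n' "$src" "$bad" >&2
        return 2
    fi
    # No wildcard: -C makes tar change directory itself, and "." names the
    # whole directory, so the shell never expands file names into argv.
    tar -cf "$out" -C "$src" .
}

# Usage: script.sh /absolute/source/dir /path/to/archive.tar
if [ "$#" -eq 2 ]; then
    safe_backup "$1" "$2"
fi
```

The refusal is deliberate: an option-like name in a backup source is worth a human look before anything privileged touches the directory.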

ALWAYS TEST YOUR SECURITY

Pentesting is important to detect vulnerabilities or misconfigurations

QUESTIONS?
